Re: xprobe 0.2
From: Ryan Permeh (ryan@eEye.com)Date: 10/28/01
- Previous message: Steve Culligan: "ICMP unreachable question"
- In reply to: nobody: "xprobe 0.2"
- Next in thread: Ofir Arkin: "RE: xprobe 0.2"
- Reply: Ofir Arkin: "RE: xprobe 0.2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <012201c15fde$b0438d00$1e00a8c0@eCompany.gov> From: "Ryan Permeh" <ryan@eEye.com> To: "nobody" <pentester@yahoo.com>, <pen-test@securityfocus.com> Subject: Re: xprobe 0.2 Date: Sun, 28 Oct 2001 10:30:58 -0800
the codebases are exactly the same(or should be). kernels between
workstation and server should be the same. The main difference is in
tuning, a few registry checks, and sometimes more software is installed. If
you can use theese techniques to id the different systems, you may have a
chance. try looking at things like #of syns before dropping, perhaps
distribution of ISN's, or something along those lines.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities
----- Original Message -----
From: "nobody" <pentester@yahoo.com>
To: <pen-test@securityfocus.com>
Sent: Friday, October 26, 2001 6:25 AM
Subject: xprobe 0.2
> All,
>
> the new xprobe 0.2 works well - as far as it goes.
> But - does anyone know if there is sufficient
> difference between the tcp/ip signature of an NT
> WORKSTATION and an NT SERVER OS.
>
> Problem:
>
> I need to (without making a windows connection via SMB
> using pgms like gettype, winmsd, winffingerprint
> etc..)
> determine which Windows machines are running NTSERVER
> OS.
>
> Does anyone know or think the the tcp/udp packet
> response from the NT SERVER will be different enough
> from the NT WORKSTATION - so that I can tell them
> apart. again - i cannot use the normal windows
> connections to do this (no port 139 connections).
>
> If there are any difference in the packet response -
> then I could add an NT SERVER (does not matter if it
> is NT or W2K) to the signature file for xprobe 0.3 ??
>
> any help ?
>
> thanks
>
>
> __________________________________________________
> Do You Yahoo!?
> Make a great connection at Yahoo! Personals.
> http://personals.yahoo.com
>
> --------------------------------------------------------------------------
-- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ > >---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
- Previous message: Steve Culligan: "ICMP unreachable question"
- In reply to: nobody: "xprobe 0.2"
- Next in thread: Ofir Arkin: "RE: xprobe 0.2"
- Reply: Ofir Arkin: "RE: xprobe 0.2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
